From c637a192a3def2d7297186206e037ec5207e020f Mon Sep 17 00:00:00 2001 From: Abilio Marques Date: Mon, 29 Mar 2021 06:54:46 +0200 Subject: [PATCH 1/3] add support for tlsv1.3 ciphers Signed-off-by: Abilio Marques --- lib/mosquitto_internal.h | 1 + lib/net_mosq.c | 11 +++++++++++ lib/options.c | 16 +++++++++++----- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/lib/mosquitto_internal.h b/lib/mosquitto_internal.h index e69fe751..4c9779b7 100644 --- a/lib/mosquitto_internal.h +++ b/lib/mosquitto_internal.h @@ -254,6 +254,7 @@ struct mosquitto { int (*tls_pw_callback)(char *buf, int size, int rwflag, void *userdata); char *tls_version; char *tls_ciphers; + char *tls_13_ciphers; char *tls_psk; char *tls_psk_identity; char *tls_engine; diff --git a/lib/net_mosq.c b/lib/net_mosq.c index d42d83a7..a4c617ef 100644 --- a/lib/net_mosq.c +++ b/lib/net_mosq.c @@ -760,6 +760,17 @@ static int net__init_ssl_ctx(struct mosquitto *mosq) return MOSQ_ERR_TLS; } } + +#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) + if(mosq->tls_13_ciphers){ + ret = SSL_CTX_set_ciphersuites(mosq->ssl_ctx, mosq->tls_13_ciphers); + if(ret == 0){ + log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set TLS 1.3 ciphersuites. Check cipher_tls13 list \"%s\".", mosq->tls_13_ciphers); + return MOSQ_ERR_TLS; + } + } +#endif + if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_use_os_certs){ ret = net__tls_load_ca(mosq); if(ret != MOSQ_ERR_SUCCESS){ diff --git a/lib/options.c b/lib/options.c index deb7c01f..900d5f65 100644 --- a/lib/options.c +++ b/lib/options.c @@ -231,14 +231,20 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl mosq->tls_version = mosquitto__strdup("tlsv1.2"); if(!mosq->tls_version) return MOSQ_ERR_NOMEM; } + + mosq->tls_ciphers = NULL; + mosq->tls_13_ciphers = NULL; + if(ciphers){ - mosq->tls_ciphers = mosquitto__strdup(ciphers); - if(!mosq->tls_ciphers) return MOSQ_ERR_NOMEM; - }else{ - mosq->tls_ciphers = NULL; + if(!strcasecmp(tls_version, "tlsv1.3")){ + mosq->tls_13_ciphers = mosquitto__strdup(ciphers); + if(!mosq->tls_13_ciphers) return MOSQ_ERR_NOMEM; + }else{ + mosq->tls_ciphers = mosquitto__strdup(ciphers); + if(!mosq->tls_ciphers) return MOSQ_ERR_NOMEM; + } } - return MOSQ_ERR_SUCCESS; #else return MOSQ_ERR_NOT_SUPPORTED; From c68be2999250261ff625b02784fa9864ff46e437 Mon Sep 17 00:00:00 2001 From: Abilio Marques Date: Mon, 29 Mar 2021 06:55:18 +0200 Subject: [PATCH 2/3] add cipher settings for bridges Signed-off-by: Abilio Marques --- src/bridge.c | 2 ++ src/conf.c | 20 ++++++++++++++++++++ src/mosquitto_broker_internal.h | 2 ++ 3 files changed, 24 insertions(+) diff --git a/src/bridge.c b/src/bridge.c index 079479e2..562c38a0 100644 --- a/src/bridge.c +++ b/src/bridge.c @@ -99,6 +99,8 @@ static struct mosquitto *bridge__new(struct mosquitto__bridge *bridge) new_context->tls_version = bridge->tls_version; new_context->tls_insecure = bridge->tls_insecure; new_context->tls_alpn = bridge->tls_alpn; + new_context->tls_ciphers = bridge->tls_ciphers; + new_context->tls_13_ciphers = bridge->tls_13_ciphers; new_context->tls_engine = db.config->default_listener.tls_engine; new_context->tls_keyform = db.config->default_listener.tls_keyform; #ifdef FINAL_WITH_TLS_PSK diff --git a/src/conf.c b/src/conf.c index 8b8190da..85a2b0e8 100644 --- a/src/conf.c +++ b/src/conf.c @@ -988,6 +988,26 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct if(conf__parse_string(&token, "bridge_alpn", &cur_bridge->tls_alpn, &saveptr)) return MOSQ_ERR_INVAL; #else log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge and/or TLS support not available."); +#endif + }else if(!strcmp(token, "bridge_ciphers")){ +#if defined(WITH_BRIDGE) && defined(WITH_TLS) + if(!cur_bridge){ + log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration."); + return MOSQ_ERR_INVAL; + } + if(conf__parse_string(&token, "bridge_ciphers", &cur_bridge->tls_ciphers, &saveptr)) return MOSQ_ERR_INVAL; +#else + log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge and/or TLS support not available."); +#endif + }else if(!strcmp(token, "bridge_ciphers_tls1.3")){ +#if defined(WITH_BRIDGE) && defined(WITH_TLS) + if(!cur_bridge){ + log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration."); + return MOSQ_ERR_INVAL; + } + if(conf__parse_string(&token, "bridge_ciphers_tls1.3", &cur_bridge->tls_13_ciphers, &saveptr)) return MOSQ_ERR_INVAL; +#else + log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge and/or TLS support not available."); #endif }else if(!strcmp(token, "bridge_bind_address")){ #if defined(WITH_BRIDGE) && defined(WITH_TLS) diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h index a48f81a4..7d35f573 100644 --- a/src/mosquitto_broker_internal.h +++ b/src/mosquitto_broker_internal.h @@ -566,6 +566,8 @@ struct mosquitto__bridge{ char *tls_keyfile; char *tls_version; char *tls_alpn; + char *tls_ciphers; + char *tls_13_ciphers; # ifdef FINAL_WITH_TLS_PSK char *tls_psk_identity; char *tls_psk; From ec736368848d83938f9628e30b03de4fdf9023b8 Mon Sep 17 00:00:00 2001 From: Abilio Marques Date: Mon, 29 Mar 2021 06:56:38 +0200 Subject: [PATCH 3/3] mention ciphers settings in documentation, minor sync of missing config settings Signed-off-by: Abilio Marques --- man/mosquitto.conf.5.xml | 57 +++++++++++++++++++++++++++------------- mosquitto.conf | 23 ++++++++++++++++ 2 files changed, 62 insertions(+), 18 deletions(-) diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml index e261776b..528cd2ae 100644 --- a/man/mosquitto.conf.5.xml +++ b/man/mosquitto.conf.5.xml @@ -2006,6 +2006,24 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/ Defaults to true. + + [ lazy | immediate ] + + If you change bridge options in the configuration file, + those configuration changes are applied during a bridge + reconnection. The option + determines when that reconnection happens, and can be set to either + lazy or immediate. + + lazy is the default, and means + that any connected bridge will remain in its current state until + a natural reconnection happens, at which point the new configuration + will be used. + + immediate forces a reconnection and so + uses the new configuration straight away. + + SSL/TLS Support @@ -2107,24 +2125,6 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/ can be used on one bridge at once. - - [ lazy | immediate ] - - If you change bridge options in the configuration file, - those configuration changes are applied during a bridge - reconnection. The option - determines when that reconnection happens, and can be set to either - lazy or immediate. - - lazy is the default, and means - that any connected bridge will remain in its current state until - a natural reconnection happens, at which point the new configuration - will be used. - - immediate forces a reconnection and so - uses the new configuration straight away. - - [ true | false ] @@ -2145,6 +2145,27 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/ connection to succeed. + + cipher:list + + + The list of allowed ciphers for this bridge, for + TLS v1.2 and earlier only, each separated with + a colon. Available ciphers can be obtained using + the "openssl ciphers" command. + + + + + cipher:list + + + The list of allowed ciphersuites for this bridge, + for TLS v1.3, each separated with a colon. + + + + diff --git a/mosquitto.conf b/mosquitto.conf index 09897c51..51c72fd3 100644 --- a/mosquitto.conf +++ b/mosquitto.conf @@ -300,6 +300,10 @@ # Path to the PEM encoded keyfile. #keyfile +# Configure the minimum version of the TLS protocol to be used for this listener. +# Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. +#tls_version tlsv1.2 + # If you wish to control which encryption ciphers are used, use the ciphers # option. The list of available ciphers can be optained using the "openssl # ciphers" command and should be provided in the same format as the output of @@ -878,6 +882,9 @@ # requested. Note that WebSockets support for bridges is not yet available. #bridge_alpn +# Require the use of Online Certificate Status Protocol (OCSP) for this bridge +#bridge_require_ocsp false + # When using certificate based encryption, bridge_insecure disables # verification of the server hostname in the server certificate. This can be # useful when testing initial server configurations, but makes it possible for @@ -893,6 +900,22 @@ # Path to the PEM encoded client private key, if required by the remote broker. #bridge_keyfile +# Configure the version of the TLS protocol to be used for this bridge. +# Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. Defaults to tlsv1.2. +# The remote broker must support the same version of TLS for the connection to succeed. +#bridge_tls_version + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be optained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. This applies to TLS 1.2 and earlier versions only. Use +# bridge_ciphers_tls1.3 for TLS v1.3. +#bridge_ciphers + +# Choose which TLS v1.3 ciphersuites are used for this bridge. +# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" +#bridge_ciphers_tls1.3 + # ----------------------------------------------------------------- # PSK based SSL/TLS support # -----------------------------------------------------------------